Your tax dollars just bought cloud services that cybersecurity experts privately trashed for years. Internal federal reviewers called Microsoft’s Government Community Cloud High everything from “a pile of shit” to a “pile of spaghetti pies” while simultaneously green-lighting it for the nation’s most sensitive data, according to a ProPublica investigation.
The Documentation Disaster
Missing encryption diagrams and legacy code tangles created what reviewers called persistent “unknowns.”
Microsoft’s path to FedRAMP High authorization reads like a cybersecurity nightmare. Federal reviewers flagged “lack of proper detailed security documentation” spanning years, including missing data flow diagrams for basic encryption services like Exchange Online. You know that sinking feeling when legacy enterprise systems have zero documentation? Multiply that by national security implications.
The technical debt was staggering. Reviewers described Microsoft’s underlying architecture as interconnected “spaghetti pies” of legacy code, creating what they called “unknowns” that persisted right through the December 26, 2024 authorization. Yet the approval went through anyway, complete with bureaucratic caveats that essentially said “buyer beware.”
The Pressure Campaign That Worked
Justice Department and Microsoft orchestrated influence that overcame expert security concerns.
Behind the scenes, the Justice Department and Microsoft orchestrated a pressure campaign that would make Netflix’s “House of Cards” writers jealous. When FedRAMP briefly paused the GCC High review in 2023 after Chinese hackers infiltrated the system, the pause lasted just long enough to avoid political embarrassment.
The revolving door spun faster than a server farm cooling fan. Former Justice Department CIO Melinda Rogers, who had authorized GCC High use, landed at Microsoft in 2025. Ex-Deputy Attorney General Lisa Monaco joined as Microsoft president the same year. Meanwhile, FedRAMP’s budget got slashed to $10 million under DOGE efficiency initiatives, leaving fewer staff to scrutinize more authorizations.
When Assessors Can’t Assess
Third-party firms paid by Microsoft faced conflicts while raising security concerns.
Third-party assessors like Kratos and Coalfire, paid directly by Microsoft, back-channeled concerns to FedRAMP about incomplete access to security information. Kratos faced corrective action but maintained GCC High met requirements anyway. It’s like hiring your own home inspector and wondering why they keep finding structural problems but approving the sale.
The broader context makes this even more concerning. Russian and Chinese breaches targeting Microsoft services in 2020 and 2023 should have triggered enhanced scrutiny. After these incidents, widespread government adoption and industry pressure still trumped security expertise.
Federal cybersecurity decisions affect every contractor handling sensitive data and every taxpayer funding these systems. When expert assessment gets overruled by bureaucratic convenience, everyone’s security suffers.





























